Why call centres aren't really risking your credit card details

According to a new survey by a company that has plenty to gain from the results, businesses are potentially exposing their customers to data theft by failing to erase recorded calls containing personal data and credit card information.

The survey by Veritape, which sells business software for recording phone calls in call centres - no interest at all in the results of their own survey, then - claims just three per cent of UK call centres comply with industry guidelines; the other 97 per cent store unedited customer calls. Less than four in ten businesses were aware of the Payment Card Industry rules which state card details must not be stored once transactions have been completed.

Veritape say it is "relatively straightforward" for a hacker to data mine these call recordings, and that "successful hacking incidents are rising steadily." Everyone else who has blindly reproduced their findings seems to agree with the assessment, even though it appears journalists have simply cut and pasted the details. The Times, for example:

Oh. Right. The thing is, we're struggling to find any notable examples of fraud committed in this way. Despite the claimed ease, we can't find a single incident of recorded phone conversations being stolen remotely and the data within used to commit credit card fraud. The Telegraph publishes some figures, but these are generic figures that refer to "phone, internet and mail order fraud" rather than capturing data through the very specific method that the entire story rests on. We're not saying it hasn't happened, we're just unsure why an increasingly popular and "relatively straightforward" method of stealing credit card information hasn't led to several high-profile news stories, besides those that appeared today repeating the claims of a survey conducted by a company with a vested interest in the outcome.

Of course it's not acceptable for call centres to store personal data on the sly, but it's somewhat difficult to ascertain whether this scaremongering PR exercise highlights any genuine threat to consumers. In the same way that writing your online banking passwords on a slip of paper in Urdu and hiding it under the floorboards potentially puts your finances at risk from burglars, there is a possibility your recorded phone calls could be hacked - but the problem appears far less significant than anyone, either the company looking to line their pockets or the newspapers desperate to fill their pages, would have you believe.

UPDATED 17/10: The Times has amended their description of Veritape for the print version of the story:

Thereby proving they didn't simply shamelessly cut and paste from the original press release. The new version of the story also now attempts to justify Veritape's claims:

"Veritape says that “data mining” of audio recordings — when criminals hack into the recordings — is relatively straightforward and has occurred in at least one UK bank in the past 12 months."

So despite the implication by Veritape that this is an increasingly common problem, they have one example of it occurring at one company in the whole country, in a year. That's one incident, despite thousands of companies using call centres to deal with millions of customer transactions every day - and there's still no detail of which company it was, when it occurred, how many customers were affected or indeed any other facts concerning the matter.

If your aim is to panic the public (to quote Veritape in the press, "this practice ought to send a shiver up the spine of card providers") it's pretty important to have a case study to prove your point, whether you're the company pushing the research or the media reproducing it as news.

7 comments

Matt. S.

I expect there are much easier ways of getting hold of credit card numbers at the moment. Of course if the software these people make uses some kind of voice recognition to detect credit card numbers in the digital recordings and then erase them, then perhaps that could be hacked to easily steal credit card numbers.

Yeah, the coverage of this story in the mainstream press seems to use stats for very generic types of fraud to justify the threat described - remotely hacking digital recordings seems to be a convoluted method of extracting credit card information with no obvious track record in success.

As a call centre worker, I can say it is loads easier to simply get a dodgy employee in to get you card details. Which is, oddly enough, often how it is done. But even more common is the hacking of store websites for POS info.

I've been involved in a PCI compliance audit working for a major high street retailer and they didn't bring up removing of call recordings with CC numbers on at all.
I think this is just a bit of marketing spiel

Dan - don't lie. We all know that that's a lie, and you're just trying to make yourself sound important.
"Ooohhh..... I've been involved in a PCI compliance audit
"Wow Dan - fuck me, that's great. Who do you work for?
"I work for a MAJOR high street retailer
"Jesus fucking H Christ Dan - You are THE MAN!!! I wish that I too could work for a major high street retailer, instead of your mum.
Fuck off, grow up, and keep your poxy opinions to yourself.
Incidentally, if the topic of removing recording with CC details was never brought up, you're still compliant as you're still breakin the law... breakin the law.

[...] with a vested interest is pushing it for the sake of his own agenda, or is it another example of paper-thin churnalism where press releases are dressed up as news stories by reporters so squeezed for time that [...]

[...] are two issues here; one is a running theme the avid readers of Bitterwallet will be well aware of; newspapers are becoming increasingly consistent in cutting and pasting press releases and passing [...]